So is there a reason that some projects generate their own download hashes
when hash generation is provided by eclipse.org downloads infrastructure?

 

- Konstantin

 

 

From: [email protected] On Behalf Of Denis Roy
Sent: Tuesday, May 20, 2014 7:43 AM
To: [email protected]
Subject: Re: [cross-project-issues-dev] Eclipse and Equinox have moved to
using SHA-2, 512 bit hashes for downloads -- Don't panic!

 

I'm in the process of computing the sha-512 sums on the over 200,000 files
in our active file index.  I'll get the new sums listed alongside the
existing ones on the generic "pick a mirror" page shortly.

Denis



On 05/20/2014 10:40 AM, David M Williams wrote:



Correct. I did open Bug 423715 - move to SHA2 for p2 metadata publishing
(and consumption) <https://bugs.eclipse.org/bugs/show_bug.cgi?id=423715>
but that won't change for Luna ... and maybe never ... until there is
pressure from some of these "government regulations" or something to
motivate a change.




From: "Sievers, Jan" <[email protected]>
To: Cross project issues <[email protected]>
Date: 05/20/2014 04:23 AM
Subject: Re: [cross-project-issues-dev] Eclipse and Equinox have
moved to using SHA-2, 512 bit hashes for downloads -- Don't panic!
Sent by: [email protected]




as far as I got it this is for the eclipse.org download pages only. 
p2 is still using MD5 for checksums in artifacts.jar, see e.g. [1] 
  
Jan 
  
[1] http://download.eclipse.org/releases/luna/201405090900/artifacts.jar
  
From: [email protected] On Behalf Of Matthias Sohn
Sent: Tuesday, 20 May 2014 08:33
To: Cross project issues
Cc: General development mailing list of the Eclipse project.; Equinox
development mailing list
Subject: Re: [cross-project-issues-dev] Eclipse and Equinox have moved to
using SHA-2, 512 bit hashes for downloads -- Don't panic! 
  
On Tue, May 20, 2014 at 8:20 AM, David M Williams
<[email protected]> wrote: 
I wanted to be sure everyone knew that beginning with tonight's I-build
(I20140519-2000), Eclipse and Equinox have changed to provide SHA512 hashes
for downloadable zips and tar files, instead of the previous MD5 and SHA1
hash sums. 

See the references in
https://bugs.eclipse.org/bugs/show_bug.cgi?id=420010#c1 for why it's a bad
idea to continue to rely on MD5 and SHA1.

Our "conversion" and plan is documented in bug 423714
https://bugs.eclipse.org/bugs/show_bug.cgi?id=423714

The disadvantage of using such a large hash is that it's not something you
can "verify" just by "looking at it" ... but ... insecure is insecure, and
it is a pretty easy task to automate (and is a LOT easier, once you have
done that).

See
https://wiki.eclipse.org/Platform-releng/How_to_check_integrity_of_downloads
for "instructions" and links to tools. Feel free to contribute to that page
if anyone has any "general purpose" scripts that others could use or know of
other tools that would be handy to know about.

Now -- here's where your feedback is needed -- we'd actually like to stop
producing the MD5 and SHA1 checksums, say, a month after Luna release ...
but if this is just too disruptive or doesn't work for someone, please
comment in Bug 423714 <https://bugs.eclipse.org/bugs/show_bug.cgi?id=423714>
explaining. In the meantime, we do not "link" to the old MD5 or SHA1
checksums from the download page, but they are still there ... right where
they always were ... to make sure we don't suddenly break someone's scripts
or builds. And if you do rely on them now, we hope you can convert after the
Luna release (if not before).

Do feel free to comment in the bug, if this has some negative consequence we
have not anticipated ... but, my guess is that anyone who cares about them
in the first place will appreciate the modernization. 

My new slogan: Test early, test often, and practice safe computing! 

Thanks, 
  
Could you share how platform generates SHA512 checksums from Maven / Tycho?

This would be interesting for other projects which want to update their
builds as well.
  
-- 
Matthias
_______________________________________________
cross-project-issues-dev mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
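
The automated check that the announcement above calls "a pretty easy task to automate", as an added example that is not part of the original thread or of Eclipse's own tooling. It assumes a sha512sum-style `HEX  filename` checksum line, uses a constructed file name and payload, and refuses MD5- or SHA1-length digests instead of silently accepting them.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Hex digest lengths of the three algorithms named in the thread.
DIGEST_HEX_LEN = {32: "md5", 40: "sha1", 128: "sha512"}
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")


def parse_checksum_line(line):
    """Split one 'HEX  filename' line (sha512sum-style layout, assumed)."""
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError("not a checksum line")
    digest, name = match.group(1).lower(), match.group(2)
    algo = DIGEST_HEX_LEN.get(len(digest))
    if algo is None:
        raise ValueError("unrecognized digest length")
    return algo, digest, name


def verify_download(path, checksum_line, chunk_size=1 << 20):
    """Return (ok, reason); only a matching SHA-512 digest is accepted."""
    algo, expected, name = parse_checksum_line(checksum_line)
    if algo != "sha512":
        return False, "weak algorithm: " + algo
    if os.path.basename(name) != os.path.basename(path):
        return False, "checksum is for a different file"
    hasher = hashlib.sha512()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            hasher.update(chunk)
    if hmac.compare_digest(hasher.hexdigest(), expected):
        return True, "ok"
    return False, "digest mismatch"


def demo():
    """Check a constructed file against good, MD5-length and wrong digests."""
    data = b"constructed sample payload"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example-sdk.zip")  # constructed name
        with open(path, "wb") as handle:
            handle.write(data)
        lines = [hashlib.sha512(data).hexdigest(), "a" * 32, "0" * 128]
        return [verify_download(path, h + "  example-sdk.zip") for h in lines]
```

A build script would call `verify_download()` on the real archive and the line fetched from the published checksum file, and fail the build on any result other than `(True, "ok")`.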





